Data Retention

< Back
You are here:

Data should be retained only for as long as it is necessary.  This means you will need to retain data whilst it is required for the processing which you need it for, but it also means that you might be able to retain the data for longer if you have a legitimate reason to continue holding it.

The life of an information asset should pass through a number of stages:

  • Data collection
  • Data usage
  • Retention trigger point
  • Retention period
  • Data destruction.

A good data management process will therefore recognise when data is required for its original use and the trigger point for retention.  The retention period should always be ‘for as long as is necessary’ but this could be anywhere from immediate to many years.  The rationale for the retention and the period should be documented and finally, action should be taken when the retention period comes to an end.  This action may be ‘destruction’, but equally it may be to ‘review’ the retention period, for example where there is a significant risk of litigation.

A practical example of this can be analysed with a common information asset which most organisations would recognise:

Information Asset: Health Surveillance (H&S)

Retention Trigger: Last Incident

Retention Period: 40 years

Rationale: Health & Safety at Work Act 1974

An example of a good data retention schedule can be found on the ICO’s website:

Mark Roebuck

Mark Roebuck

Building a career around data led programme management Mark recognised that existing data compliance solutions were complex and difficult for clients to use. Frustrated with the options he founded ProvePrivacy to provide an effective and simple to use data protection compliance solution.

Copyright:  All information and articles provided represent the views of ProvePrivacy Limited and our contributors.  They do not constitute legal or data protection advice. All rights reserved.

You Might Also Like